MITRE ATT&CK® coverage mapping

Intel Fusion measures every cyber threat intelligence source in your portfolio against the MITRE ATT&CK® matrix. The result is a quantitative answer to two questions every CTI program eventually has to answer: which techniques are we covering, and which sources are responsible for that coverage?

From feed inventory to coverage posture

Most CTI programs can list their feeds. Far fewer can answer "what techniques do those feeds collectively cover?" — and that gap shows up at the worst possible time, in front of leadership or during an incident review. Intel Fusion closes the gap by treating ATT&CK as the unit of measurement. Sources are scored against all 14 enterprise tactics and the techniques beneath them, producing a coverage matrix that is a defensible artifact in its own right.

Coverage is reported at three levels. Per-source coverage shows what a single feed claims. Portfolio coverage shows the union — the probability that at least one source covers a given technique. And weighted coverage applies risk weighting so techniques favored by your relevant adversary groups count more than techniques you will rarely encounter.

Why the union matters

A single source that delivers 92% portfolio coverage does the heavy lifting. Adding a second source rarely doubles your coverage; it fills the remaining 8% if you are lucky, and duplicates the existing 92% if you are not. Intel Fusion computes the union as P = 1 − ∏(1 − cᵢ), with the product taken over the active sources and cᵢ the coverage of source i, then attributes incremental coverage to each addition. This is how you tell the difference between a feed that closes a gap and a feed that piles onto an already-covered surface.
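The union and incremental attribution described above, worked through per technique with risk weighting, as an added example that is not Intel Fusion's code. The feed names, scores, and weights are constructed, and the weighted figure is assumed here to be a weighted mean of per-technique coverage. The formula treats sources as independent, so feeds that republish the same upstream reporting will make the union look better than it is.

```python
from math import prod

# Constructed sample: per-source coverage c_i in [0, 1] for each technique.
# Feed names and scores are hypothetical; technique IDs are ones this page names.
SOURCES = {
    "feed_a": {"T1190": 0.9, "T1566": 0.8, "T1566.003": 0.0, "T1486": 0.0},
    "feed_b": {"T1190": 0.5, "T1566": 0.8, "T1566.003": 0.0, "T1486": 0.0},
    "feed_c": {"T1190": 0.0, "T1566": 0.5, "T1566.003": 0.6, "T1486": 0.0},
}
# Hypothetical risk weights (higher = more relevant to your adversary set).
WEIGHTS = {"T1190": 3.0, "T1566": 2.0, "T1566.003": 1.0, "T1486": 4.0}

def union(scores):
    """P = 1 - prod(1 - c_i): chance that at least one source covers it."""
    scores = list(scores)
    if any(not 0.0 <= c <= 1.0 for c in scores):
        raise ValueError("coverage scores must lie in [0, 1]")
    return 1.0 - prod(1.0 - c for c in scores)

def portfolio(sources, active):
    """Per-technique union over the active sources; a missing score counts as 0."""
    techniques = sorted({t for name in active for t in sources[name]})
    return {t: union(sources[n].get(t, 0.0) for n in active) for t in techniques}

def weighted(coverage, weights):
    """Risk-weighted mean of per-technique coverage (assumed definition)."""
    return sum(w * coverage.get(t, 0.0) for t, w in weights.items()) / sum(weights.values())

def incremental(sources, order, weights):
    """Weighted coverage each source adds when onboarded in the given order."""
    steps, active, previous = [], [], 0.0
    for name in order:
        active.append(name)
        current = weighted(portfolio(sources, active), weights)
        steps.append((name, round(current - previous, 4)))
        previous = current
    return steps

def gaps(coverage):
    """Techniques that no active source covers at all."""
    return sorted(t for t, p in coverage.items() if p == 0.0)

if __name__ == "__main__":
    cov = portfolio(SOURCES, list(SOURCES))
    print(cov, weighted(cov, WEIGHTS))
    print(incremental(SOURCES, ["feed_a", "feed_b", "feed_c"], WEIGHTS))
    print("uncovered:", gaps(cov))
```

Incremental attribution depends on the order in which sources are added: a feed evaluated first gets credit that it would share if it were evaluated last.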

Tactics, techniques, and sub-techniques

Tactic-level coverage is useful for executive briefings: it answers "do we have Initial Access covered?" Technique-level coverage is useful for analysts: T1190 Exploit Public-Facing Application is covered by which sources, at what fidelity, and how recent is the intelligence? Sub-technique coverage is where rationalization decisions become precise — two feeds that both cover T1566 Phishing may diverge at the sub-technique level, and one of them might be the only source for T1566.003 Spearphishing via Service.

The methodology behind these mappings is documented on the ATT&CK technique mapping page, including how Intel Fusion handles partial coverage, source-claimed coverage versus observed coverage, and how mappings are kept current as ATT&CK evolves.

Coverage gaps you can act on

A gap is only useful if it leads somewhere. Intel Fusion pairs the coverage matrix with sourcing recommendations: if T1486 Data Encrypted for Impact is uncovered, the recommendation engine surfaces the candidate sources from the catalog that fill it, ranked by acquisition cost, license terms, and contribution to your weighted coverage. Recommendations cite the underlying coverage math so the case is transparent.

For organizations operating under specialized profiles — for example the NNSA Cyber Threat Profile — Intel Fusion supports framework overlays so coverage is measured against the profile, not just generic ATT&CK.

Measure your CTI portfolio against ATT&CK.

Request a demo to see your portfolio's tactic-level coverage and the gaps that need sourcing.